rule Linux_Exploit_Vmsplice_cfa94001 {
    meta:
        author = "Elastic Security"
        id = "cfa94001-6000-4633-9af2-efabfaa96f94"
        fingerprint = "3fb484112484e2afc04a88d50326312af950605c61f258651479427b7bae300a"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.Vmsplice"
        reference_sample = "0a26e67692605253819c489cd4793a57e86089d50150124394c30a8801bf33e6"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { 7A 00 21 40 23 24 00 6D 6D 61 70 00 5B 2B 5D 20 6D 6D 61 70 3A }
    condition:
        all of them
}

rule Linux_Exploit_Vmsplice_a000f267 {
    meta:
        author = "Elastic Security"
        id = "a000f267-b4d7-46e9-ab61-818633083ba2"
        fingerprint = "0753ef1bc3e151fd6d4773967b5cde6ad789df593e7d8b9ed08052151a1a1849"
        creation_date = "2021-01-12"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.Vmsplice"
        reference_sample = "c85cc6768a28fb7de16f1cad8d3c69d8f0b4aa01e00c8e48759d27092747ca6f"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { 24 04 73 00 00 00 89 44 24 00 CF 83 C4 10 5B C9 C3 55 89 E5 83 }
    condition:
        all of them
}

rule Linux_Exploit_Vmsplice_8b9e4f9f {
    meta:
        author = "Elastic Security"
        id = "8b9e4f9f-7903-4aa5-9098-766f4311a22b"
        fingerprint = "585b16ad3e4489a17610f0a226be428def33e411886f273d0c1db45b3819ba3f"
        creation_date = "2021-04-06"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.Vmsplice"
        reference_sample = "0230c81ba747e588cd9b6113df6e1867dcabf9d8ada0c1921d1bffa9c1b9c75d"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { 00 00 00 00 20 4C 69 6E 75 78 20 76 6D 73 70 6C }
    condition:
        all of them
}

rule Linux_Exploit_Vmsplice_055f88b8 {
    meta:
        author = "Elastic Security"
        id = "055f88b8-b1b0-4b02-8fc5-97804b564d27"
        fingerprint = "38f7d6c56ee1cd465062b5c82320710c4d0393a3b33f5586b6c0c0c778e5d3b2"
        creation_date = "2021-04-06"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.Vmsplice"
        reference_sample = "607c8c5edc8cbbd79a40ce4a0eccf46e01447985d9415d1eff6a91bf64074507"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { 2D 2D 2D 00 20 4C 69 6E 75 78 20 76 6D 73 70 6C }
    condition:
        all of them
}

rule Linux_Exploit_Vmsplice_431e689d {
    meta:
        author = "Elastic Security"
        id = "431e689d-0c41-4c92-98b0-0dac529d8328"
        fingerprint = "1e8aee445a3adef6ccbd2d25f7b38202bef98a99b828eda56fb8b9269b6316b4"
        creation_date = "2021-06-28"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.Vmsplice"
        reference = "1cbb09223f16af4cd13545d72dbeeb996900535b1e279e4bcf447670728de1e1"
        severity = "100"
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        $a = { 69 6F 6E 00 70 75 74 65 6E 76 00 73 74 64 6F 75 74 00 73 65 }
    condition:
        all of them
}

